Researcher Will Expose 20 Hackable Apple Security Flaws

Charlie Miller is an NSA-trained hacker with an elite reputation for tracking down dangerous security flaws in software. But his latest work could be subtitled "Apple Hacking For Dummies."

Later this month at the CanSecWest security conference in Vancouver, Miller plans to unveil research that he says has turned up 30 previously unknown critical security vulnerabilities in common software, 20 of which are in Apple's Preview application. In other words, he says he's found 20 different ways that a cybercriminal could hijack the machine of any Mac user tricked into opening an infected PDF--or given that Safari uses the same code as Preview to render PDFs, simply visiting an infected Web page.

That's a record haul of security bugs even for Miller, a researcher for Baltimore-based Internet Security Evaluators who has become one of the world's most prominent Mac hackers after revealing methods for hacking the iPhone via its Safari browser in 2007 and via text message last summer.

But Miller says his goal with this latest research isn't to show off his skills, so much as to demonstrate just how easy it is to find hackable bugs in common software. The 36-year-old researcher used a technique known as "dumb fuzzing" to perform a side-by-side comparison of four different software applications: Adobe Reader, Apple Preview, Microsoft PowerPoint and Oracle's OpenOffice. He wrote a simple Python script--just five lines of code--that randomly changes one bit of a PDF or PowerPoint file, feeds the file to the target application to see if it crashes, and then changes another bit, repeatedly tweaking and testing.
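The loop Miller describes, written out as an added example (this is not his five-line script, which the article does not reproduce): flip one random bit of a seed document, hand the file to the target, record whether the process exited cleanly, hung, or died on a signal, and keep every input that did not exit cleanly for later triage. The target command is an assumption left to the caller; it must open the given file non-interactively and exit.

```python
import os
import random
import signal
import subprocess
import tempfile
from collections import Counter

def flip_random_bit(data: bytes, rng=None) -> bytes:
    """Return a copy of data with exactly one randomly chosen bit inverted.
    This single mutation is the entire strategy of a 'dumb' fuzzer."""
    rng = rng or random.Random()
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)

def classify_exit(returncode) -> str:
    """Map an exit status to 'ok', 'timeout' or 'crash:<SIGNAL>'.
    On POSIX, subprocess reports death-by-signal as a negative return code."""
    if returncode is None:
        return "timeout"
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    return "ok"

def run_once(target_cmd, path, timeout=10.0) -> str:
    """Open one mutated file in the target and report how the process ended."""
    try:
        proc = subprocess.run(target_cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"  # a hang is worth triage, but is not a memory-safety crash
    return classify_exit(proc.returncode)

def fuzz(seed: bytes, target_cmd, iterations, rng=None, crash_dir=None) -> Counter:
    """Mutate, launch, observe, repeat; save inputs that did not exit cleanly.
    Returns a tally of verdicts, e.g. Counter({'ok': 990, 'crash:SIGSEGV': 10})."""
    rng = rng or random.Random()
    tally = Counter()
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(iterations):
            mutated = flip_random_bit(seed, rng)
            path = os.path.join(tmp, "case.bin")
            with open(path, "wb") as f:
                f.write(mutated)
            verdict = run_once(target_cmd, path)
            tally[verdict] += 1
            if verdict != "ok" and crash_dir:  # keep the reproducer for triage
                os.makedirs(crash_dir, exist_ok=True)
                with open(os.path.join(crash_dir, f"{verdict}-{i:06d}.bin"), "wb") as f:
                    f.write(mutated)
    return tally
```

Call fuzz() with the bytes of a known-good seed document, the command that renders a file and exits, an iteration count, and a crash_dir; the saved reproducers are the raw material that still has to be triaged by hand (or under a debugger) to separate exploitable memory corruption from harmless aborts, which is the part of Miller's work that took weeks, not the five lines.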

After running his fuzzer program on the applications for 3 weeks each, Miller found nearly a thousand unique ways to make the programs crash, and combed through that data to find which of those bugs allowed him to take control of the program. The results don't look good for Apple: 20 exploitable bugs in Preview compared with either 3 or 4 each in Reader, PowerPoint, and OpenOffice.

Miller says he was surprised that he was able to find any bugs at all with the simple method, let alone 20 in a single program. He says the high number of bugs shows that companies like Apple still aren't taking basic steps in their own security testing. “It’s shocking that Apple didn’t do this first,” Miller told us in an interview. “The only skill I’ve used here is patience.” Apple didn't respond to our request seeking comment.

Miller's research also offers one of the first head-to-head comparisons of Apple's security with that of similar software. Adobe, for instance, has increasingly been seen over the last year as a common entry point for malicious hackers. Verisign's security division iDefense tracked 45 new vulnerabilities exposed by hackers and security researchers in Adobe's Reader software last year, triple the number from the year before. But Miller's research seems to show that Apple's security team may be far sloppier still.

Even so, Miller doesn't confine his criticism to Apple. "Microsoft, Apple, and Adobe all have huge security teams, and I'm one guy working out of my house," he says. "I shouldn't be able to find bugs like these, ever."

Aside from shaming the industry with his research, Miller has other plans for the CanSecWest conference. For the last two years, Miller has been a winner of the conference's Pwn2Own competition, which pits hackers against each other in a race to compromise a target computer and win cash prizes, along with the computer itself. In 2008, Miller won by hacking a MacBook Air in two minutes. This year's contest has two rounds of targets: one of browsers and one of smartphones, including the iPhone along with BlackBerry, Android and Nokia devices.

Miller hasn't yet informed Apple about his new haul of bugs, and he says he hasn't decided yet what to do with them. He may try to determine which of the flaws would work in the iPhone's version of Safari, and keep one or two in reserve for the Pwn2Own competition, along with ammunition to hack the iPad when it launches next month.

He's also considering keeping the details of his bugs secret and watching to see how long it takes the software vendors to patch them after his Vancouver talk. While that would leave users vulnerable to the secret vulnerabilities he's found, Miller says it could also help reveal more about just what software companies are doing--or not doing--to patch their products' flaws.

"The moral of the story is that if Apple wants to keep its products secure, it needs to be doing what I'm doing," says Miller. Until then, it seems, he'll just have to keep hacking their products for them.